While UK data protection law existed before 2018, the Data Protection Act 2018 was a significant step forward. Learn more about this legislation and understand its importance for your business.
Since it came into force, the Data Protection Act (DPA) 2018 has given individuals greater control over their personal data and stronger protection for their rights, which matters all the more as technology advances.
In 2018, the Data Protection Act 2018 (DPA 2018) became the UK's main data protection law. It was passed to bring UK legislation into line with the EU GDPR and to fill in the areas that the GDPR left to individual member states. The DPA 2018 sets out the main requirements for protecting the personal data of individuals in the UK, whether it is processed by businesses based in the UK or by organisations elsewhere that offer goods or services to, or monitor, people in the UK.
When the UK left the EU, the GDPR was retained in domestic law as the UK GDPR, which took effect on 1 January 2021 at the end of the transition period. Earlier, in 2003, the UK had passed the Privacy and Electronic Communications Regulations (PECR) to transpose the EU's ePrivacy Directive into national law.
These regulations set the rules for the security of electronic communications, cookies and similar technologies, and direct marketing. In short, the DPA 2018, the UK GDPR and PECR together form the foundations of UK data protection law.
This act is essential because it empowers individuals to take charge of their personal data while setting out how businesses can process it lawfully. This means that individuals now have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
The Information Commissioner's Office (ICO) provides additional guidance on these rights for companies. The ICO also expects businesses to give regular data protection training to all staff, permanent or temporary, on how to apply the DPA 2018 in their day-to-day responsibilities; many organisations refresh this training at least once a year.
For example, the DPA 2018 provides more robust legal protection for special category data (such as health or ethnic origin) and for criminal offence data. In practice, this means that, as well as identifying a lawful basis for the processing, employees must also meet one of the specific conditions that apply to these types of data before processing them.
As well as updating UK data protection laws to account for digital technology, social media, and big data, the DPA 2018 also transposes the EU Law Enforcement Directive (LED) into UK law and develops a specific data protection regime for intelligence services. The LED regime rules are essential for relevant authorities processing data for law enforcement purposes.
By contrast, the requirements for UK intelligence services are based on the standards in the modernised Convention 108 (the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data).
The DPA 2018 is divided into seven main sections, known as 'Parts', which are used together with 20 Schedules that add detail, conditions and exemptions to those Parts. Here are ten things businesses should know:
1. UK Data Protection Law can have a wide remit
The DPA 2018 applies to your business, regardless of its size, if you hold and use (process) an individual's personal information as part of your regular business activities. This includes details such as names, personal email addresses and phone numbers. The ICO offers further guidance to help you determine whether the UK data protection rules apply to you.
2. Complying with data protection rules will improve your reputation
When you handle and store personal data correctly, it is easier to find, keep accurate and protect. Paying your data protection fee on time, and so appearing on the ICO's public register of fee payers, shows customers that you take their data seriously and demonstrates to other organisations that you are worth doing business with. You can take the self-assessment on the ICO website to determine whether your business needs to pay a fee.
3. Not all types of data fall under the DPA 2018
Information that falls outside the DPA 2018 includes business information such as generic email addresses or financial statements that do not identify a living person. It also includes information about a deceased person, and paper records that are not part of, or intended to form part of, a filing system. The ICO offers further detailed guidance on what is and is not personal data.
4. Neither the ICO nor the DPA 2018 can state training specifications
As every firm is different and the ICO wants an organisation to take responsibility for staff training, it expects firms to create training plans based on UK data protection principles and guidelines. To simplify the process, ensure that data protection training is regularly updated and covers both the basics and instructions on handling incidents if something goes wrong.
5. Regularly review data protection feedback & complaints
Your business needs to review any complaints and negative feedback about how it handles personal data, both to avoid repeating the same mistakes and to reduce the risk of enforcement action from the ICO, which takes complaints into account when deciding where to investigate.
6. Harsher penalties with the DPA 2018 rather than the 1998 Act
While the 1998 Act permitted the ICO to issue penalties of up to £500,000, the DPA 2018 and UK GDPR go much further. For the most serious infringements, the ICO can impose penalties of up to £17.5 million or 4% of a company's total annual worldwide turnover, whichever is higher.
This can be seen in practice in the £4.4 million fine against Interserve Group Limited, a construction company, for failing to secure the personal information of its staff.
Additionally, the ICO fined Clearview AI Inc. more than £7.5 million for collecting individuals' images from the web and social media to build a facial recognition database without their knowledge or permission, a penalty that Clearview went on to challenge on appeal.
7. A Data Protection Impact Assessment (DPIA) can help you minimise risk
If your company is undertaking a project that is likely to result in a high risk to individuals, for example because it processes large volumes of personal or special category data, or uses new technology, the UK GDPR requires you to carry out a DPIA before you start. Even where one is not strictly required, a DPIA is a useful way to identify and reduce risk early. The ICO offers a guide as well as a template for this purpose.
8. Consider the best lawful basis for processing children's data
You need to think especially carefully about the lawful basis for processing children's data, as children are less likely to be aware of the risks and consequences. If you want to rely on consent, you must make sure the child can understand what they are agreeing to; for online services offered directly to a child in the UK, a child aged under 13 cannot give that consent themselves, so you need a parent or guardian to authorise it.
If instead you rely on processing being 'necessary for the performance of a contract', you need to consider whether the child has the competence to understand what they were entering into when they agreed to the contract.
9. Businesses are not allowed to charge a fee for a Subject Access Request (SAR)
Before the DPA 2018, companies could charge individuals a fee for responding to a SAR. Now, businesses must normally respond free of charge, and within one month. A reasonable fee to cover administrative costs can only be charged where a request is manifestly unfounded or excessive, or where someone asks for further copies of their data. If you intend to charge a fee, or to refuse a request on these grounds, your company must tell the individual promptly and explain why.
10. A breach only needs to be reported to the ICO if personal data is involved and there is a risk to individuals
When a breach occurs, you first need to establish whether personal data is involved and what type of personal data breach has occurred, for example loss, unauthorised access or accidental disclosure. Then consider who now has access to the data in error and how many individuals may be affected.
Next, assess the risk to those individuals, paying particular attention to whether the breach is likely to cause them harm. Act to contain the breach and protect those affected. Then document your investigation and, where the breach is likely to result in a risk to individuals' rights and freedoms, report it to the ICO within 72 hours of becoming aware of it. Where the risk is high, you must also tell the affected individuals without undue delay. Keep a record of every personal data breach, even those you decide not to report.
To avoid penalties under the DPA 2018 and give customers genuine control over their data, a company must first understand the role it plays in the processing.
The business requirements under the UK GDPR will depend on whether you are a controller, joint controller, or processor. Controllers are entities that decide what personal data to process and why, i.e. they have a purpose for the data.
A processor is a company that acts only on the instructions of a client (the controller), meaning that it does not have its own purpose for processing the data.
Additionally, if two or more controllers decide to process the same personal data for the same purpose, they are considered joint controllers. However, controllers are not considered joint if they process the same data for different purposes. If you are unsure as to the type of role you have, the ICO offers further guidance.
Controllers must comply with all the requirements under the DPA 2018 and UK GDPR and pay the data protection fee unless they are exempt. There are three tiers of fee for controllers, set by regulations approved by Parliament, based mainly on an organisation's size and turnover. The fee is paid to the ICO and funds its work enforcing data protection law.
If you are required to pay a fee and fail to do so, you could be fined up to £4,350. Processors are exempt from paying the fee but still have their own obligations, such as processing only on the controller's documented instructions and keeping the data secure. Joint controllers must agree transparently between themselves who is responsible for which obligations, such as responding to individuals, but each remains accountable to the ICO and to individuals for the processing.
Both the ICO and individuals can take enforcement action against a processor, controller, or joint controller.
Employees will also need to be trained on the UK-specific points, because the DPA 2018 adds to and adapts the EU GDPR in several areas. These include the additional conditions for processing special category and criminal offence data, the exemptions set out in its Schedules, and the separate regimes for law enforcement and intelligence services.
Companies must also explain how and why they use personal data and how individuals can exercise their rights under the DPA 2018, such as the rights of access, rectification and erasure.
This is because the DPA 2018 and UK GDPR require companies to be far more transparent about why they are collecting data and what they will do with it than the 1998 Act did.
The UK GDPR establishes seven data protection principles. We will explore these principles and explain how businesses can incorporate them into their compliance programs.
Survey figures quoted in the industry suggest that only 59% of companies believe they currently meet all GDPR requirements, highlighting a worrying gap in the protection of our personal information.
The UK GDPR (General Data Protection Regulation) and the Data Protection Act (DPA) 2018 work together to regulate data protection and privacy. The UK GDPR sets out the core rules, while the DPA 2018 adds UK-specific details, exemptions and provisions.
Breaching General Data Protection Regulations (GDPR) can be costly. The social media sharing company, TikTok, is the latest big business to be named and shamed, with a colossal £12.7m fine for misusing data.
But organisations of all sizes risk proportionate fines, other penalties and reputational damage if they fail to get to grips with GDPR’s requirements and the Data Protection Act 2018 principles.
So, what are the seven principles of the Data Protection Act? They are the legal requirements, set out in Article 5 of the UK GDPR, that govern how personal data must be handled so that it remains private and secure. According to the UK's Information Commissioner's Office (ICO), they lie at the heart of the UK GDPR.
Set out at the very beginning of the legislation, they inform everything that follows. The seven are:
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
So, what do these principles mean for you and your day-to-day operations?
1. Lawfulness, fairness, and transparency
ICO further explains that: “Personal data must be collected and processed lawfully, fairly, and transparently, and individuals must be told about its collection and use.”
This means you can only collect personal data where you have a valid lawful basis, use it in ways that people would reasonably expect and that are not unjustifiably detrimental or misleading to them, and be open and honest about why and how you collect it.
2. Purpose limitation
“Personal data must be collected only for specified, explicit, and legitimate purposes, and not further processed or used in a way that’s incompatible with those purposes.”
Essentially, this means letting people know your reasons for collecting data and ensuring you only use it for those purposes. If you later want to use the data for a new purpose, you can only do so if that purpose is compatible with the original one, you obtain the person's consent, or you have a clear legal obligation or function that requires it.
3. Data minimisation
“Personal data must be adequate, relevant, and limited only to what’s necessary for the processing purpose.” In other words, only collect the data you need to carry out your goals and don’t ask for info you don’t need.
4. Accuracy
“Personal data must be accurate and, where necessary, kept up to date. Inaccurate or incomplete data must be corrected or deleted.”
You’re responsible for making sure the data you collect and store is accurate and current, and have procedures in place to check it is. The person also has the right to ask you to correct or delete wrong information.
5. Storage limitation
“Personal data must not be kept for longer than is necessary for the purposes for which it is processed.”
While GDPR has no set time limits for keeping data, you should delete it – using a secure process – as soon as it’s served its purpose.
6. Integrity and Confidentiality
“Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.”
You need to carry out due diligence and have organisational and technical measures in place to keep data secure, both internally and when it is shared with or processed by third parties. If a breach is likely to put people at risk, you must report it to the ICO within 72 hours of becoming aware of it, and if the risk is high you must also tell the affected individuals without undue delay.
7. Accountability
“The controller or processor is responsible for complying with these principles and must be able to demonstrate compliance.” Lip service isn’t enough.
GDPR sets out that whoever's responsible for deciding how and why personal data is collected – whether a person or a company – must ensure it meets these principles. You must also be able to show this to individuals or regulators if asked.
There are a number of things you can do to help ensure you comply with the principles of data protection.
Stay on the right side of lawfulness, fairness, and transparency by developing a privacy policy that clearly explains how personal data will be collected, processed and used, and by making sure your data subjects can easily access that information. Before you process special category data, make sure you have identified both a lawful basis and one of the specific conditions that apply to that data; explicit consent is one such condition, but not the only one.
Consider using a data protection impact assessment (DPIA). A DPIA helps you identify and minimise the data protection risks of a particular project and shows how each of the data protection principles is being met.
Hackers aside, unforeseen events can also disrupt your operations. Therefore, it's essential to regularly back up your files to ensure you can recover your data if the worst occurs.
Following the steps above, such as using DPIA tools and policies, will show your commitment to accountability. Keeping accurate records of your processing activities is also a good way of demonstrating your commitment to the principles.
If you don't have one already, think about appointing a dedicated Data Protection Officer to oversee everything. And, of course, providing your people with data protection training that covers the seven data protection principles can support best practices.
As a framework, the principles help you set clear parameters for collecting, processing and storing personal data. They ensure transparency and show your commitment to protecting people's data and privacy rights – building trust.
People also have the option to sue you for damages. Awards vary depending on the distress caused but can range from hundreds for a minor breach to tens of thousands of pounds for one that causes physical or emotional distress.
In addition to, or instead of, fines, the regulator can order you to take remedial action or impose restrictions on your processing. Whatever action is taken, the damage to a hard-won reputation can be severe, affecting both your relationships with clients and your financial performance.
In today's data-driven world, protecting personal data is critical. By implementing the proper procedures, policies and resources to help you embed the seven data protection principles, you can be confident your business is best placed to fulfil GDPR’s requirements.
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.